REMARKS

The Final Office Action mailed November 10, 2009 considered and rejected claims 24-28,
34 and 36-45. Claims 24, 34, 40-43, and 45 were objected to because of informalities.
Claims 24-28, 34, and 36-45 were rejected under 35 U.S.C. 103(a) as being unpatentable over
Glasser (US 6,061,684) hereinafter Glasser in view of Nowicki (US 7,146,377) hereinafter
Nowicki.¹

By this amendment, claims 24, 34, 36, 37, 42, and 43 are amended and claims 26 and 39
are cancelled.² Accordingly, claims 24-25, 27-28, 34-38 and 40-45 are pending of which claims
24 and 34 are the independent claims at issue.

The invention is generally directed to zone based security administration for data entities. 
For example, claim 24 recites a method of authenticating principal identity and then splitting the 
one or more non-overlapping security zones into a plurality of non-overlapping security zones to 
facilitate more efficient delegation of rights to principals. Claim 24 recites accessing a first
access control list that defines administrative rights based on common security rules that
principals are to have in an existing non-overlapping zone from among the one or more
non-overlapping zones. Authentication information is accessed that specifies the identity of the
principals that are to have the administrative rights in the existing non-overlapping zone.

Claim 24 further recites authenticating the principals by verifying the identity of the 
principals by using the authentication information and by verifying that the principals are to have 
the administrative rights defined in the first access control list. 

A grouping of data items and method items in the combined item hierarchy for which 
new common security rules are to be enforced is identified. The identified grouping of data 
items and method items are currently included in the existing non-overlapping zone from among 
the one or more non-overlapping zones. Existing common security rules are enforced within the
existing non-overlapping zone and the new common security rules differ from the existing
common security rules.



¹ Although the prior art status of the cited art is not being challenged at this time, Applicant reserves the right to
challenge the prior art status of the cited art at any appropriate time, should it arise. Accordingly, any arguments and 
amendments made herein should not be construed as acquiescing to any prior art status of the cited art. 

² Support for the amendments to the claims is found throughout the specification and previously presented claims,
including but not limited to paragraphs [0022]-[0031], [0044]-[0051], [0053], [0055], [0058], [0063] and Figures 1
and 3.
A processor re-configures the one or more non-overlapping security zones so that rights
can be delegated at a granularity that is finer than an entire database but yet coarse enough so as
to not require delegation for each item. Re-configuring includes splitting the existing
non-overlapping security zone into a new non-overlapping security zone and a remnant of the
existing non-overlapping security zone. The arrangement of the new non-overlapping security
zone relative to the remnant of the existing non-overlapping security zone is based on the
location of the identified grouping of data items and method items within the combined item
hierarchy. The new non-overlapping security zone is for containing the identified grouping of
data items and method items. The remnant of the existing non-overlapping security zone
contains at least one data item or method item from the existing non-overlapping security zone. 
Accordingly, splitting is restricted in such a way as to prevent overlapping between security 
zones and such that none of the data items and method items are included in more than one 
security zone. Re-configuring also includes adjusting data properties of each of the items in the 
identified grouping of data items and method items to represent that the identified grouping of 
data items and method items are contained in the new non-overlapping security zone. 

For any principals that had existing rights in the existing non-overlapping security zone 
based on the existing common security rules being enforced in the existing non-overlapping 
security zone at the time the existing non-overlapping zone was split, those rights are retained. 
Thus, the rights are retained in the identified grouping of data items and method items,
subsequent to splitting the existing non-overlapping security zone and subsequent to adjusting
data properties to represent that the identified grouping of data items and method items are
contained in the new non-overlapping security zone.

Claim 24 then recites granting other rights in the new non-overlapping security zone to 
one or more additional principals in accordance with the new common security rules. Assigning 
the other rights to the new non-overlapping zone collectively grants the other rights to each item 
in the identified grouping of data items and method items through the assignment of the other 
rights to the new non-overlapping security zone. The other rights differ from the existing rights. 
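
The split described above can be sketched in a few lines. This is an added illustration, not code from the application or the cited references; the class `ZoneStore`, its methods, and the sample hierarchy are hypothetical names chosen for the sketch.

```python
class ZoneStore:
    """Item hierarchy partitioned into zones; rights attach to zones, not items."""
    def __init__(self):
        self.parent = {}   # item -> parent item (None for the root)
        self.zone_of = {}  # item -> zone id; single-valued, so zones cannot overlap
        self.acl = {}      # zone id -> {principal: set of rights}

    def add_item(self, item, parent, zone):
        self.parent[item], self.zone_of[item] = parent, zone
        self.acl.setdefault(zone, {})

    def grant(self, zone, principal, right):
        self.acl[zone].setdefault(principal, set()).add(right)

    def rights(self, principal, item):
        return self.acl[self.zone_of[item]].get(principal, set())

    def _in_subtree(self, item, root):
        while item is not None:
            if item == root:
                return True
            item = self.parent[item]
        return False

    def split_zone(self, root, new_zone):
        """Move root's subtree out of its zone into new_zone; return the moved items."""
        old = self.zone_of[root]
        if new_zone in self.acl:
            raise ValueError("zone id already in use")
        members = [i for i, z in self.zone_of.items() if z == old]
        group = [i for i in members if self._in_subtree(i, root)]
        if len(group) == len(members):
            raise ValueError("split would leave no remnant in the existing zone")
        # Existing principals keep their rights over the moved items.
        self.acl[new_zone] = {p: set(r) for p, r in self.acl[old].items()}
        for i in group:  # adjust each item's zone property
            self.zone_of[i] = new_zone
        return sorted(group)

def build_demo():
    """Constructed sample: one zone 'z0' over a small hierarchy of data and method items."""
    s = ZoneStore()
    for item, parent in [("root", None), ("contacts", "root"), ("contacts/alice", "contacts"),
                         ("contacts/export()", "contacts"), ("docs", "root"), ("docs/report", "docs")]:
        s.add_item(item, parent, "z0")
    s.grant("z0", "admin", "write")
    moved = s.split_zone("contacts", "z1")
    s.grant("z1", "hr", "read")  # one grant on the zone covers every item in z1
    return s, moved
```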

Claim 34 is a computer program product claim corresponding to the method of claim 24. 

Glasser teaches a unified and straightforward approach to managing file and other 
resource security in a networked computing environment. A resource is organized as a hierarchy 
of elements with a root element at the top of the hierarchy and additional elements below the root 
element. A request is received to change a protection, such as an access permission, of an
element of the resource hierarchy (other than the root) with respect to a particular network user. 
If the element in question lacks an associated access control list, a nearest ancestor element of 
the hierarchy is located that has an associated access control list. The first (descendant) element 
inherits the access control list of the second (ancestor) element. This inheritance is done by 
generating a copy of the access control list of the second element and associating the generated 
copy with the first element. The requested change in protection is then incorporated into the 
generated copy that has been associated with the first element so as to establish an updated 
access control list for the first element. Further, the requested change can be propagated 
downwards in the hierarchy from the first element to its descendants having access control lists. 
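
The copy-on-change inheritance summarized above can be illustrated as follows. This is an added example, not code from Glasser or from the application; `Element`, `change_protection`, and the sample hierarchy are hypothetical, and modeling a "change" as replacing one user's permission set is an assumption.

```python
class Element:
    """Node in a resource hierarchy; acl is None when the element has no ACL of its own."""
    def __init__(self, name, parent=None, acl=None):
        self.name, self.parent, self.children, self.acl = name, parent, [], acl
        if parent is not None:
            parent.children.append(self)

def nearest_ancestor_with_acl(element):
    node = element.parent
    while node is not None and node.acl is None:
        node = node.parent
    if node is None:
        raise LookupError(f"no ancestor of {element.name} carries an ACL")
    return node

def change_protection(element, user, permissions, propagate=False):
    """Apply a per-user permission change to a non-root element."""
    if element.acl is None:
        source = nearest_ancestor_with_acl(element)
        # Inherit by copy: the ancestor's ACL object is never shared or modified.
        element.acl = {u: set(p) for u, p in source.acl.items()}
    element.acl[user] = set(permissions)  # assumption: a change replaces the user's set
    updated = [element.name]
    if propagate:
        stack = list(element.children)
        while stack:
            node = stack.pop()
            if node.acl is not None:  # only descendants that already have ACLs
                node.acl[user] = set(permissions)
                updated.append(node.name)
            stack.extend(node.children)
    return sorted(updated)

def build_demo():
    """Constructed hierarchy: only the root and 'q3' start with ACLs."""
    root = Element("root", acl={"alice": {"read", "write"}, "bob": {"read"}})
    reports = Element("reports", root)
    drafts = Element("drafts", reports)
    q3 = Element("q3", reports, acl={"bob": {"read"}})
    updated = change_protection(reports, "bob", set(), propagate=True)
    return root, reports, drafts, q3, updated
```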

Nowicki teaches a metadata management system (MDS) that may include partitioned 
migratable metadata. Metadata may be stored in multiple metadata partitions (102-0 to 102-11). 
Each metadata partition may be assigned to a particular system resource (104-0 to 104-5). 
According to predetermined policies, such as metadata aging, metadata stored in one metadata 
partition may be migrated to a different metadata partition. A forwarding object can be placed in 
the old metadata partition to indicate the new location of the migrated metadata. Metadata 
partitions (102-0 to 102-11) may be reassigned to different resources, split and/or merged 
allowing a high degree of scalability, as well as flexibility in meeting storage system needs. 

Accordingly, Glasser and Nowicki, either singularly or in combination, teach or suggest

• accessing a first access control list, the first access control list defining rights
based on common security rules that principals are to have in an existing
non-overlapping zone from among the one or more non-overlapping zones;

• accessing authentication information that specifies the identity of the principals
that are to have the rights in the existing non-overlapping zone;

• authenticating the principals by verifying the identity of the principals by using
the authentication information and by verifying that the principals are to have the
rights defined in the first access control list.

The other art of record fails to compensate for the deficiencies of Glasser and Nowicki and
is not cited as teaching such. Accordingly, the art of record, either singularly or in combination,
fails to teach or suggest:
an act of accessing a first access control list, the first access control list defining
rights based on common security rules that principals are to have in an existing
non-overlapping zone from among the one or more non-overlapping zones;

an act of accessing authentication information that specifies the identity of the 
principals that are to have the rights in the existing non-overlapping zone; 

an act of authenticating the principals by verifying the identity of the principals by 
using the authentication information and by verifying that the principals are to have the 
rights defined in the first access control list 

as recited in claim 24, when viewed in combination with the other limitations of claim 24. For at 
least this reason, claim 24 patentably defines over the art of record. For at least similar reasons, 
claim 34 also patentably defines over the art of record. Each of the dependent claims depends
from claims 24 and 34. Thus, each of the dependent claims also patentably defines over the art of
record for at least the same reason as their corresponding base claim.

The Office Action has objected to claims 24, 34, 40-43, and 45 for various informalities.
Applicants note that the amendments made herein have overcome these rejections. Accordingly, 
Applicants request that the objections be withdrawn. 

In view of the foregoing, Applicant respectfully submits that the other rejections to the 
claims are now moot and do not, therefore, need to be addressed individually at this time. It will 
be appreciated, however, that this should not be construed as Applicant acquiescing to any of the 
purported teachings or assertions made in the last action regarding the cited art or the pending 
application, including any official notice. Instead, Applicant reserves the right to challenge any 
of the purported teachings or assertions made in the last action at any appropriate time in the 
future, should the need arise. Furthermore, to the extent that the Examiner has relied on any 
Official Notice, explicitly or implicitly, Applicant specifically requests that the Examiner 
provide references supporting the teachings officially noticed, as well as the required motivation 
or suggestion to combine the relied upon notice with the other art of record. 

In the event that the Examiner finds any remaining impediment to a prompt allowance of this
application that may be clarified through a telephone interview, the Examiner is requested to 
contact the undersigned attorney at (801) 533-9800. 
The Commissioner is hereby authorized to charge payment of any of the following fees
that may be applicable to this communication, or credit any overpayment, to Deposit Account 
No. 23-3178: (1) any filing fees required under 37 CFR § 1.16; and/or (2) any patent application 
and reexamination processing fees under 37 CFR § 1.17; and/or (3) any post issuance fees under 
37 CFR § 1.20. In addition, if any additional extension of time is required, which has not 
otherwise been requested, please consider this a petition therefor and charge any additional fees
that may be required to Deposit Account No. 23-3178. 



Dated this T day of May, 2010. 



Respectfully submitted, 




RICK D. NYDEGGER
Registration No. 28,651
MICHAEL B. DODD
Registration No. 46,437
SHANE K. JENSEN
Registration No. 55,301
Attorneys for Applicant
Customer No. 047973